
CHAPTER 5 | Data, PDA, and Cell Phone Forensics
that the evidence collected was not altered or tainted in any way, and knowing how the technology works will help the forensic examiner understand how data can be saved or altered.

Basic Hard Drive Technology
Most computer users are familiar with the idea of computer hard drives and how they are used to store computer programs and data. For most users, this is enough information, but a forensic technician must understand the hardware components and how they work to save data. Looking at a hard drive externally, you will notice that most standard hard drives are no larger than a small book, yet they can store encyclopedic amounts of data. If you look at the top of a hard drive, you will usually see a nice shiny cover with a label affixed that supplies information on the hard drive's parameters.

Handle with Care
Keep in mind that by opening a hard drive, you destroy it, unless you are a certified technician.

If you turn the hard drive over, you will see a circuit board (otherwise known as the hard drive controller) that controls how the information is stored, transferred, and buffered. When you open a hard drive, you see shiny circular disks with read and write arms attached to a motor. No matter how closely you look, however, you will never see the 0s and 1s stored on those shiny platters because they are magnetically written and read. To understand how the hardware works, you must understand the geometry of how drives store all those 0s and 1s.

Platters
The platters of a hard drive, the shiny disks mentioned above, can be made of aluminum, ceramic, or even glass and are designed to spin at very high speeds. The platters are coated with a magnetic material of some type such as iron oxide that can be charged either negative or positive, which is how the 0s and 1s are "written" to the platters. A typical hard drive usually has more than one platter, and data can be written to both the top and bottom of each platter.

Heads
The read/write heads of a hard drive are the devices that can read or alter the magnetic signature on a hard drive. Every platter has two heads to be able to read/write both the top and bottom of the platter (see Figure 5.1).

Cylinders
To understand cylinders, you must look at the tracks on a hard drive. To visualize what a track looks like, think about how track athletes run in circles around an oval track in certain lanes. These lanes are the same concept as tracks on a hard drive. A hard drive platter has literally thousands of these concentric circular tracks.

FIGURE 5.1 Heads write to both the top and bottom of the platter.

Imagine looking at a hard drive with four different platters stacked one on top of the other from a side view, as shown in Figure 5.2. A cylinder is basically a grouping of the same tracks vertically through the stack of platters.

Sectors
The last part of what is called drive geometry is something called a sector. The easiest way to understand sectors is to think of a round cake. The way a cake is sliced in triangular pieces is the same way drives are divided into sectors. The common size for a sector is 512 bytes; however, never take that size for granted.

Locating Hard Drive Geometry Information
Remember that label affixed to the top of the hard drive? The information on this label contains the drive geometry required to install the hard drive in a computer. Additionally, the label will also have the pin assignments for any jumpers on the hard drive along with serial and model numbers. If this hard drive does not have a label, you may have to resort to the Internet to find its exact specifications. The thing to remember about drive geometry is that new computers will automatically read the hard drive controller BIOS and insert the information into the computer BIOS. Also remember, a user can change the drive geometry settings and essentially create a custom-sized drive for which only that user knows the exact geometry settings. The three components that determine the size of the hard drive are cylinders, heads, and sectors, and as mentioned before, these can be modified by technically adept users.

FIGURE 5.2 A cylinder is a vertical grouping of tracks.
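As an added example (not from the chapter), the following Python models how cylinders, heads, and sectors determine capacity, converts between CHS addresses and linear sector numbers, and computes how much of a drive a deliberately reduced BIOS geometry leaves unaddressed. The geometry values are constructed for illustration.

```python
from collections import namedtuple

# Drive geometry as printed on the label or entered in the BIOS.
Geometry = namedtuple("Geometry", "cylinders heads sectors")


def capacity_bytes(geo: Geometry, sector_size: int = 512) -> int:
    """Capacity addressable through this geometry.
    512 is the common sector size, but the chapter warns never to assume it,
    so it is a parameter rather than a constant."""
    return geo.cylinders * geo.heads * geo.sectors * sector_size


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Map a (cylinder, head, sector) address to a linear sector number.
    Cylinders and heads count from 0; sectors within a track count from 1."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads and 1 <= s <= geo.sectors):
        raise ValueError(f"CHS ({c}, {h}, {s}) lies outside geometry {geo}")
    return (c * geo.heads + h) * geo.sectors + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba: which cylinder, head and sector holds linear sector lba."""
    if not 0 <= lba < geo.cylinders * geo.heads * geo.sectors:
        raise ValueError(f"LBA {lba} lies outside geometry {geo}")
    c, rem = divmod(lba, geo.heads * geo.sectors)
    h, s0 = divmod(rem, geo.sectors)
    return c, h, s0 + 1


def unaddressed_bytes(physical: Geometry, configured: Geometry,
                      sector_size: int = 512) -> int:
    """Space on the platters that a smaller user-entered BIOS geometry hides.
    The text notes a user can shrink the geometry to create a custom-sized
    drive; this is how much data such a setting leaves outside the operating
    system's view, and therefore outside any copy limited to that geometry."""
    return capacity_bytes(physical, sector_size) - capacity_bytes(configured, sector_size)


# Constructed sample: the classic 16383/16/63 geometry reported by many ATA
# drives, and a BIOS entry that understates the cylinder count.
LABEL_GEOMETRY = Geometry(cylinders=16383, heads=16, sectors=63)
BIOS_GEOMETRY = Geometry(cylinders=16000, heads=16, sectors=63)

if __name__ == "__main__":
    print("label capacity:", capacity_bytes(LABEL_GEOMETRY), "bytes")
    print("first sector of cylinder 1 is LBA", chs_to_lba(LABEL_GEOMETRY, 1, 0, 1))
    print("LBA 1008 is at CHS", lba_to_chs(LABEL_GEOMETRY, 1008))
    print("hidden by BIOS geometry:", unaddressed_bytes(LABEL_GEOMETRY, BIOS_GEOMETRY), "bytes")
```

Comparing the label geometry against what the BIOS reports is a quick way to notice that a drive is presenting less space than it physically has.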

Hard Drive Standards
Now that you have looked at basic drive geometry, you will look at the different technologies used to connect the hard drive to your computer. As a forensic analyst, you will need to know how these technologies work and, more important, how they affect the way in which you access the data on a hard drive. The two most popular hard drive technologies in use today are enhanced integrated drive electronics (EIDE) and small computer systems interface (SCSI). Of the two, EIDE is the most widely used with a rate over 90 percent usage in the market today. The best way to identify the drive technology when looking at the hard drive (apart from reading the label) is to look at the ribbon connector on the back of the hard drive. The standard EIDE connector is 40 pins, whereas the SCSI connector is a 50- or even 68-pin type. The hard drive industry has created various standards that at best can be confusing and are often misunderstood. You may be wondering why, if all these standards exist and work, you should know them. The simple answer is that as a forensic examiner, you need to understand the basic technology you use to help you work your cases more efficiently and make you a more credible expert in the computer forensic field. The following standards are the ones you will most likely encounter:

- ATA (advanced technology attachment). This is the umbrella standard for ATA-1 through ATA-7, which standardizes everything from connections to hard drive speeds.
- ATAPI (advanced technology attachment programmable interface). This standard allows devices other than hard drives, such as compact disk or tape drives, to use ATA connections.
- EIDE (the name invented by Western Digital but in reality the ATA-2 standard). Allows up to four ATA devices and is now used to describe ATA standards 2 through 5.
- IDE (integrated drive electronics). This is the original ATA-1 standard and is no longer used. This standard supports only two drives, unlike ATA-2, which supports up to four.
- ATA speed rating. This term refers to the speed at which a hard drive is capable of transferring data to the computer. Common references to these speeds are listed as ATA33, ATA66, ATA100, and ATA133.
- PIO (programmable input/output). Used in ATA-1 for transferring data between hard drive and RAM.
- UDMA (ultra direct memory access). Currently used to transfer data between hard drive and RAM for ATA-2 through ATA-5.
- SATA (serial advanced technology attachment). This new standard uses a more efficient serial hard drive controller interface to achieve speeds of up to 150MBps. The cables are not the flat ribbon type, and every drive is considered a master drive. Additionally, some SATA drives are hot pluggable, which means you can connect and disconnect these devices with the computer on.

Master and Slave Configurations
Because the ATA standards allow for more than one hard drive or device per cable, there has to be a way for both devices to communicate via this one cable. The solution hard drive makers came up with is the master/slave configuration. The controller on board the hard drive designated as the master controls both devices. The device designated as the slave device is set to allow the master device to assume control. Most hard drives have a set of jumpers used to designate a hard drive as master or slave (or "carrier select"). Remember that label on the hard drive cover? On that label, you will find the settings on how the pins are "shorted" to make the hard drive a master or slave. If for some reason there is no documentation, the Internet and the manufacturer's site are your best sources of information.

Other Storage Technologies
Although you will probably focus most of your efforts as a forensic examiner on suspect hard drives, you may also be required to examine a variety of other storage devices, from floppy disks to USB flash drives. Each type of storage media has its own technology you must be familiar with to acquire data safely from it.

Floppy Disks
A floppy disk works on the same principle as a magnetic hard drive. Floppy disks are now going the way of the dinosaur thanks to CDs, DVDs, and USB drives, but many computers still have floppy disk drives and you may be dealing with floppy disks for several more years to come.

From a physical standpoint, a floppy disk is a film of Mylar with a magnetic coating. The reason floppy disks are called floppy is because the early 12-inch floppy disks were literally floppy. The Mylar disk was encased in a plastic cover, and you could actually flop it back and forth. You are unlikely to deal with many 12-inch disks; these disks have been replaced over the years and through a series of modifications by high-density 3.5-inch disks that are enclosed in a hard plastic cover. Bear in mind that floppy disks are relatively unreliable in comparison to hard drives and CDs, so you may find yourself unable to read a floppy disk.

Shrinking Floppies
The large floppy disks mentioned above were used to store data for early mainframes such as those manufactured by IBM. Original disks had very little storage capacity and were read only. The first commercially available 8-inch floppies could store less than 100KB. As the computer revolution gained speed and technology improved, floppies shrank from 12 inches to 10 inches, to 8 inches, and finally to the last truly "floppy" size of 5.25 inches.

Tape Drive Technologies
As a forensic analyst, you will at some point run across tape backups that you need to examine. Tape media is the oldest form of magnetic technology and is still widely used simply because it can store huge amounts of data cheaply and reliably. The problem with tape media is that there are three distinct groups and each group requires a specific tape drive. The following are the different types in current use:

- QIC (quarter-inch cartridge). This is one of the older standards and has a useful size of 2GB. Because modern drives exceed this size by a wide margin, you more than likely will not see this tape group very often.
- DAT (digital audio tape). DAT uses a digital encoding scheme, unlike QIC, which uses an analog encoding scheme. The typical size of a DAT tape cartridge is 24GB. Despite their size, this type of tape system is being replaced more and more by DLT.
- DLT (digital linear tape). DLT has a larger capacity of storage, in the 200GB range, and is incredibly fast and reliable.

ZIP and Other High-Capacity Drives
Before the introduction of USB thumb drives, users were clamoring for larger capacity removable media. The 3.5-inch floppy disks could hold only 1.44MB, and user files were exceeding this size. Iomega introduced a floppy disk with much more capacity and reliability. Iomega® introduced a removable media device called the ZIP® drive. The first ZIP drive held 100MB of data compared to the paltry 1.44MB of a typical floppy. The most recent ZIP drives can work with disks that hold up to 750MB. Essentially, these drives can read previous 250MB and 100MB ZIP disks, but they cannot write to a 100MB disk. Other technologies such as JAZZ drives and SuperDisk follow the same basic principles of ZIP drives. The main thing to remember is that you need to have the right drive to handle the removable media type. For example, a JAZZ drive will not read a ZIP disk.

Optical Media Structures
Unlike the magnetic devices covered in the previous section, optical media use light from laser or LED sources to determine the 0s and 1s. Philips and Sony developed the compact disk (CD) technology in the late 1970s and released it to the general public in the early 1980s. Early CD technology was designed for audio and in fact was intended to replace vinyl records. The basic physical structure of a CD is a spiral groove much like that of an old-fashioned vinyl record. Basically, pits and lands are used to differentiate or create 0s and 1s on a CD platter. A laser will either reflect or not reflect off the surface of the media depending on whether it focuses on a pit or land, and it will be interpreted as either a 0 or 1. CDs use a combination of chemical reactions and heat to create pits and lands depending on what type of CD you are using: CD-ROM disks use a different technology than CD-RWs. Audio CD technology and data CD technology use the same basic techniques for storing data such as pits and lands; however, different CD types, namely CD, compact disk recordable (CD-R), and compact disk rewritable (CD-RW), use different logical formats. In addition to different physical properties, the formats are completely different in logical structure. CD manufacturers have tried to standardize formats so that most drives and operating systems can read different formats without much trouble. As the forensic examiner, however, you will eventually run across a CD written in a nonstandard file format or with a mixture of different formats, and you will have to ascertain what type of CD format you are dealing with and what type of CD drive will read that CD.

Single Session vs. Multisession CDs
Originally, all CD formats were single session in nature. In other words, a single table of contents was used per CD because the CD was read only and could not be appended to or altered.

When technology improved to make it possible to write and rewrite CDs, multisession CDs were introduced. A multisession CD has more than one table of contents written onto its file system, and as a forensic examiner you must understand that not all CD drives will read multisession disks. In some cases, you may need RW software on your computer to read a CD that hasn't been closed.

Destroying CD Data
As a practical matter for forensic recovery, some suspects believe that by scratching a CD, they can make the disk unreadable. With a good polishing, almost any CD can be made readable again and data extracted from it. The only truly reliable way to destroy CD data is to destroy the CD itself.

With the introduction of high-capacity storage and the availability of writable media, DVDs will become more commonplace to answer the need for larger capacity removable media. Physically, CD and DVD disks look exactly the same; however, the internal file structures are considerably different. DVDs can be written on both sides, whereas the common CD writes to only one side. With gigabytes of storage space available, DVDs have ample storage capacity. The new Blue DVDs have storage capacities in the 20GB range and above, so you may see storage capabilities in the DVD storage arena that rival hard drive capacities. As with CDs, the software drivers and DVD drive handle access to the file system and allow the forensic examiner to examine the contents of the DVD just like a regular disk drive.

USB Flash Drives
As memory chip prices have dropped, USB drives have become inexpensive and commonplace among many in the computer field. Additionally, the USB system has become universal among computers, and you would be hard pressed to find any new computer without at least one USB port. A standard USB drive is literally the size of a person's thumb and can store gigabytes of information in NAND (Not AND) type flash memory (or small, square-shaped optical discs with a USB connector). USB drives are also impervious to the scratches that plague floppy and CD-type media, in addition to being able to store larger amounts of data. The file system used by USB drives varies, but the file allocation table (FAT) is typically used because most operating systems can read this file system type. On larger USB drives, NTFS has replaced FAT as the preferred file system, but HFS and others are not uncommon. Because these file systems are common for hard drives, the operating system views them as regular hard drives, and by default your forensic software will see them as regular hard drives also. You will read more about file systems such as FAT and NTFS in Chapter 6.

Personal Digital Assistant Devices (PDAs)
Personal digital assistants (PDAs) have rapidly become commonplace in both personal and business arenas. The typical PDA can be used to keep up with appointments, send and receive e-mail, and even surf the Web. The newest generation of PDAs comes equipped with wireless capabilities such as WiFi, IR, and Bluetooth. The modern PDA comes with a microprocessor, RAM, ROM, and a way to input data either via QWERTY keypad or touch screen. (The term QWERTY derives from the first six letters in the top letter row of standard input hardware such as a typewriter or keyboard.) A small device such as a PDA or mobile phone has a miniaturized keypad that allows the user to literally type a letter or e-mail almost as if using a normal sized keyboard (see Figure 5.3). Obviously this is not a perfect solution, because most QWERTY keypads have keys only a 5-year-old can use easily, but they do work once you get the hang of them. Depending on the manufacturer of the PDA, up to 128MB of RAM can be accessed and up to 64MB of ROM can be used for the operating system. Most ROMs found in PDAs are the flash type and thus can be rewritten multiple times. User data is kept in the RAM section of the device and is kept active by the use of batteries. This data is thus vulnerable to erasure if power is disconnected for any length of time. As of this date, there are five major PDA operating systems:

- BlackBerry
- Open Embedded (Linux)
- PalmSource (Palm OS)
- Symbian (Psion)
- Windows Mobile (Pocket PC)

FIGURE 5.3 A QWERTY keypad.

All PDA devices come with personal information management (PIM) software, which provides basic functionality with address book, mailbox, appointments, and memorandum capabilities. The data used in the PIM modules resides in the PDA; however, because most PDA devices are synchronized with a computer, the PIM data can also be extracted from the computer after synchronization occurs. The last thing to consider with PDA devices is that they also can include external storage devices such as Compact Flash. When collecting evidence, make sure to thoroughly examine the area surrounding the computer for any external storage devices, no matter how small.

Cellular Phones
The line between PDAs and cellular telephones has become somewhat blurry these days, and the newest cellular phone products in the market actually have their lineage based on PDA architectures. The new cellular phones are basically low-end portable computers. The capabilities of modern cell phones include:

- PDA functionality (PIM scheduling and e-mail)
- Text messaging via
  - Short message service (SMS): Used to send simple text messages between cellular phones and even land lines.
  - Extended message service (EMS): Used to send formatted text messages, pictures, and even animation.
  - Multimedia message service (MMS): In addition to text, the service allows video and audio clips to be sent between cellular phones.
  - Instant messaging (IM): Used for real-time text conversation ability between mobile devices.
- Single photo and/or movie video capable
- Phonebook
- Call logs
- Subscriber identity module (SIM)
- Global positioning systems (GPS)
- Video streaming
- Audio players

The latest cell phones have up to 64MB of RAM and up to 64MB of ROM, so these mobile devices have plenty of room. With 300 megahertz processors, they also have plenty of processing power for the use they are designed to handle. The forensic community as a whole has focused on the computer and network forensic field and is just now beginning to see the type of data that can be retrieved from the latest cell phones. As an example, al Qaeda's number-three man was caught in Pakistan simply because the cell phones al Qaeda was using were being tracked by the information assigned to the cell phone via the subscriber identity module (SIM).

More Feature-Rich Cell Phones
New phones were displayed at the CTIA Wireless 2006 trade show in Las Vegas that ranged from simple handsets for making voice calls to fancy phone-shaped computers that receive television signals. For example, Sony Ericsson's new camera phone, the K790 Cybershot phone, offers relatively fast Web browsing and e-mail on the GSM network. When flipped over, it becomes a 3.2-megapixel Cyber-shot digital camera with autofocus, a Xenon flash, and a feature called BestPic, which takes a series of nine rapid-fire shots by pressing the shutter button. According to reviewers, the flash is handy because a lot of camera-phone photos are taken in bars. "The pictures can then be blackmailed, er, e-mailed to your personal blog, or transferred to a printer via Bluetooth or USB" (Lewis, 2006).

Drive and Media Analysis
In the previous sections, you have studied the basics of the hardware you are likely to encounter. Now you will begin to look at the forensic analysis of each of these technologies. Chapter 4 discussed the general procedures an investigator must follow to prepare for forensic examination. The list below reviews and summarizes those procedures.

- Wipe all media you plan to use and use a standard character during that wipe. Using a standard, unique character makes it easy to demarcate the extent of any data you copy to your media.
- Assemble all hard drives, computer components such as floppies, and so on that you will need for this investigation.

- Document, photograph, and otherwise inventory the computer equipment and surrounding environment on which you are performing the forensic analysis.
- Document your methods and reasons for conducting the investigation.
- Document the process of how you acquired the forensic image from the suspect computer via bit-stream or disk-to-disk image.
- Document the chain of custody.

Acquiring Data from Hard Drives
After you have prepared the target media and assembled all the forensic tools you need for this investigation, you are ready to make an image or exact copy of the suspect drive. As a forensic investigator, your job is to make an exact copy of a suspect's system and to be able to prove you have not made any changes to the computer system in the process. At face value, this may seem easy, but remember that any time you move the mouse or disconnect a cable you are making changes to the computer system. As you learned in Chapter 4, you first have to decide onsite whether to disconnect the computer from its power source or perform a system shutdown before you start the disk duplication process. The simple rule is that you disconnect or pull the power plug on everything but a server. The main reason you power down a server is simply because servers will usually have open files or data that can be damaged if the power is suddenly disconnected. A workstation, by contrast, will usually have minimal files open and will not be affected as severely as a server, where you may have dozens or even hundreds of users accessing at the same time. The trade-off with servers is that you will alter some data when you shut down in this fashion. As with all things forensic, you must make the judgment call whether you will chance damaging data or risk changing possible evidence.

The next consideration is whether to do a disk-to-disk drive image or a disk-to-bit-stream image. Each method has pros and cons, but the bit-stream images generated from disk-to-image transfers are the easiest to work with.

Bit-Stream Transfer
As discussed in Chapters 3 and 4, you must prevent the hard drive from booting when you restart it to make the data transfer. If possible, you do this by unplugging the computer, opening the case, and physically disconnecting the hard drive. You can then restart the computer, enter the BIOS setup, and change the boot order so that the computer boots to a floppy or CD. At this point, remove the hard drive from the boot sequence and save the changes you have made. By doing this and documenting your work, you have essentially proven that it would have been difficult for the hard drive to boot after it was powered down.
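As an added example (not from the chapter), the following Python works through the acquisition steps described in this section on simulated in-memory drives: wiping the target media with one standard character, making a bit-stream copy, proving the copy exact by hashing both, showing why a single altered byte breaks that proof, modelling the write-blocker behaviour the chapter describes next, and using the fill character to find where a restored image ends. The drives, the fill byte and the sample data are constructed for illustration.

```python
import hashlib
import random

SECTOR_SIZE = 512   # the common size; the chapter warns never to take it for granted
FILL_BYTE = 0xF6    # constructed choice of "standard character" for wiping target media


def wipe(media: bytearray, fill: int = FILL_BYTE) -> None:
    """Overwrite every byte of target media with one known value."""
    media[:] = bytes([fill]) * len(media)


def sha256_of(media: bytes) -> str:
    """One-way hash of a whole device, fed sector by sector as an imager would."""
    digest = hashlib.sha256()
    for offset in range(0, len(media), SECTOR_SIZE):
        digest.update(media[offset:offset + SECTOR_SIZE])
    return digest.hexdigest()


def bit_stream_copy(source: bytes) -> bytearray:
    """Copy every sector from first to last with no file-system interpretation."""
    image = bytearray(len(source))
    for offset in range(0, len(source), SECTOR_SIZE):
        image[offset:offset + SECTOR_SIZE] = source[offset:offset + SECTOR_SIZE]
    return image


def acquire_and_verify(source: bytes) -> dict:
    """Image the source and hash both; equal hashes are the proof of an exact copy."""
    image = bit_stream_copy(source)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {"image": image, "source_hash": src_hash,
            "image_hash": img_hash, "verified": src_hash == img_hash}


class WriteBlockedDrive:
    """Model of the write blocker described in the text: a write is acknowledged
    to the caller as successful, but nothing ever reaches the media."""

    def __init__(self, media: bytearray):
        self._media = media
        self.blocked_writes = 0

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self._media[offset:offset + length])

    def write(self, offset: int, data: bytes) -> bool:
        self.blocked_writes += 1
        return True        # report success, discard the data


def restore_image(image: bytes, target: bytearray) -> None:
    """Wipe the target first, then lay the image down from its first sector."""
    wipe(target)
    target[:len(image)] = image


def restored_extent(target: bytes, fill: int = FILL_BYTE) -> int:
    """Locate where restored data ends on a wiped target: scan back from the end
    over sectors that still hold nothing but the fill byte. This is why the fill
    should be a value unlikely to end the suspect's own data."""
    fill_sector = bytes([fill]) * SECTOR_SIZE
    end = len(target)
    while end >= SECTOR_SIZE and target[end - SECTOR_SIZE:end] == fill_sector:
        end -= SECTOR_SIZE
    return end


def make_sample_drive(sectors: int, seed: int = 7) -> bytearray:
    """Constructed suspect drive filled with deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(sectors * SECTOR_SIZE))


if __name__ == "__main__":
    suspect = make_sample_drive(64)
    result = acquire_and_verify(suspect)
    print("hashes match:", result["verified"])

    tampered = bytearray(result["image"])
    tampered[1000] ^= 0x01                       # one flipped bit
    print("one bit changed, still matches:", sha256_of(tampered) == result["source_hash"])

    blocked = WriteBlockedDrive(suspect)
    ok = blocked.write(0, b"accidental write")
    print("write reported ok:", ok, "; source hash unchanged:",
          sha256_of(suspect) == result["source_hash"])

    target = bytearray(128 * SECTOR_SIZE)          # target larger than the image
    restore_image(result["image"], target)
    print("restore ends at byte", restored_extent(target), "of", len(target))
```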

Remember, you must document as much as possible, and as a general rule try never to touch the actual suspect drive more than once. When you are in the BIOS system, make sure to document the following:

- Time and date as shown in the BIOS
- The boot order as shown in the BIOS

As further insurance against inadvertently writing to the suspect computer system, use a software write blocker or hardware drive blocker. A write blocker works in a simple fashion: whenever a system call is sent to the controller to write to the hard drive, the write blocker (either software or hardware) intercepts this call and reports back to the operating system that the write was successful. The operating system reports the write was successful, but the data is never written to the hard drive. EnCase® software and FTK™ use software write blockers, but you can also use hardware write blockers such as FastBloc. If you use a write blocker that is built in to the application, such as the EnCase software, you essentially just let the software handle the write blocking. It is basically automatic. If you use a hardware-based system, it is also handled automatically, except that you will be plugging hard drives into the device and must have a basic knowledge of hardware such as SCSI and EIDE connections. Just make sure you use one.

At this point, you should have a bootable floppy or CD ready for whichever forensic tool you will be using, whether EnCase software, FTK, or any other tool. Boot the suspect computer with the bootable media and proceed to do a bit-stream image transfer. Most forensic software has the ability to generate a one-way hash of the suspect drive and of your bit-stream image. The two hash results should be identical and thus prove the suspect drive and your image are mathematically identical. Keep in mind that if your hash values do not match, a court of law can and more than likely will disallow that evidence from being presented because the copy is not an exact duplicate of the original. Once you have your bit-stream copy and have hashed it, you need to make another copy of the duplicate. This second copy is the working copy you should use for your analyses. Store your original in a safe place.

Now that you have a working bit-stream image, you have several options available to you as a forensic examiner. You can choose to work on the image itself using the built-in tools of applications such as ILook, EnCase, or FTK software. Because these tools have been around for some time, they include automated searches for information such as e-mail, chat, and file evidence. Bear in mind that tools such as ILook are used by law enforcement only, whereas EnCase and FTK software are used both by law enforcement and private interests. You can also restore this logical image file to a hard drive and work on the hard drive as if it were in the suspect's machine. If you restore an image to another hard drive, you must wipe that drive to ensure a clean drive is used. To ensure that

you have wiped or cleaned the drive properly and to demarcate where the image restore ends, write a unique character across the entire hard drive. Make one copy of the original evidence and then make a second copy from the first copy to use for the actual analysis. Once you have the second copy imaged, the process of analysis is carried out in the same fashion as other investigations.

Disk-to-Disk Imaging
The second method used to acquire a disk image is to do a disk-to-disk acquisition. In concept, you are literally copying one hard drive to another. In a nonforensic situation, you would just do a regular disk copy of the entire drive, and any changes made during the transfer would be inconsequential. Because you are doing a forensic copy, however, special precautions must be used to ensure that no writes are made to the original suspect storage device. In addition to this, all data transferred must be identical in both the source and target hard drive or storage device. The term bit-level copy is used to explain that you are literally copying every single bit on the original drive from the first sector to the last sector on the storage device. Equipment such as Logicube's Talon system is a hardware-based forensic acquisition device. The device has a multitude of capabilities, but its core function is to transfer data from one storage device to another and to authenticate that the data has not changed. As noted before, because it is a hardware device and does the transfer directly, the transfer speeds are somewhat higher than software-based forensic tools.

Acquiring Data from Removable Media
Removable media such as floppies, CDs, and tape are handled in much the same way as hard drive media with a couple of added precautions. By their very nature, removable media are not as stable or robust as a standard hard drive. Floppies and tape are especially notorious for losing data when you need it the most. To this end, you should document all aspects of any forensic investigation, including taking pictures of the subject computer and its surrounding environment. Investigators can deduce many things by simply looking around a suspect's work area. If you notice a ZIP drive on the system, then by deduction you should also look for any ZIP disks. A good rule of thumb is to document everything within reach of the person using that computer. This includes all peripherals, books, and removable media within a 20-foot radius. The following checklist is useful for handling removable media:

- Document the scene.
- Place all removable media in a static-proof container.
- Label the container with the type of media, where the media were found, and the type of reader required.

They should match exactly to prove you have not changed anlhing on your image copy. but this is generally not the preferred method. Once you have the image done. there are different drive types. Do not leave any media in a hot vehicle or environment.gd Or'r"and MediaAnalysis l7l r I I Transport directly to lab. After this is all done. Once you have control of the media in your lab. You generally do not have to worry about writing to CDs because they are usually read only unless you use a bumer. will not read CD-RW media because the material used 'in the CD does not have a sharp enough contrast for that particular drive laser to differentiate the pits and lands. however. Store media in a secure and organized area. or memory cards. make an image of the removable media or even a set of removable media. For common media such as floppies. Using whichever forensic tool you prefer. make a duplicate working copy of the image and put away the original image in case you need to access it. The process depends on the type of forensic software used.) The first step is to make sure the media is write-protected. the best solution is to use the write protect tabs available on all tape backup media. you will notice that density and tape capacities are radically different for different systems. store the original media in a secure and organized place. Keep in mind that many tape backup systems may appear to use the same type of tape simply because physically they look the same. the next step is to make a forensic duplicate and a working copy of the media. Most forensic software will view external media such as tape drives as just another drive. Floppy disks have a write protect notch you can use to make sure no writes are done to the floppy. you should make sure you have the correct hardware to read the type of media you are going to work with. For example. Acquiring Data from USB Flash Drives USB drives may seem a little different to forensic examiners at first. 
for example.drive ustng a EAIfile system. Remember that for CD media. The most imporlant thing to do when making this image is to make a hash to document both the hash value of the original and the hash value of the image. Once you have made sure the media is write-protected the next step is to acquire a forensic image of the media. At this point. As with all other eiaminations. (If you need to use the suspect's equipment. ZIP drives. For tape backups. a floppy disk will require a floppy drive. so acquiring the image will be the same as if you were acquiring a hard drive. If you look closely. and that may affect how you are able to get an image off that CD. but they logically appear to most operating systems as a regular hard. you can use the suspect's equipment to read the media if you run across a unique situation. but the same principles used to make a forensic copy of hard drives apply to removable media. you must first set a write protect . you should have these types of devices in your lab. If necessary. you can remove the device from the suspect computer and use it on the forensic platform. Certain drives.
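The hash step described above (hash the original, hash the image, and require the two digests to match) as an added example; this is not code from the book or from any of the tools it names. It reads both sources in fixed-size chunks so that a multi-gigabyte image never has to fit in memory, and it returns both digests so they can be copied into the case notes. The sample media bytes and the single-byte "tampered" copy are constructed here for the demonstration; in a real acquisition the two streams would be the write-protected original and the image file.

```python
import hashlib
import io
from typing import BinaryIO, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat even for very large images

# Constructed sample "media" standing in for a floppy, CD or USB stick (not real evidence).
SAMPLE_MEDIA = (b"FAT12 boot sector placeholder" + b"\x00" * 483
                + b"ledger.xls: 2004-03-01 deposit 1250.00\n" * 40)

# The same media with one byte altered, to show what a failed verification looks like.
TAMPERED_MEDIA = SAMPLE_MEDIA[:600] + b"9" + SAMPLE_MEDIA[601:]


def hash_stream(stream: BinaryIO, algorithm: str = "sha256") -> str:
    """Return the hex digest of everything readable from `stream`, read chunk by chunk."""
    digest = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_image(original: BinaryIO, image: BinaryIO,
                 algorithm: str = "sha256") -> Tuple[bool, str, str]:
    """Hash both streams; report whether they match plus both digests for the case notes."""
    original_digest = hash_stream(original, algorithm)
    image_digest = hash_stream(image, algorithm)
    return original_digest == image_digest, original_digest, image_digest


def verify_image_bytes(original: bytes, image: bytes,
                       algorithm: str = "sha256") -> Tuple[bool, str, str]:
    """Convenience wrapper for in-memory data (used by the sample run below)."""
    return verify_image(io.BytesIO(original), io.BytesIO(image), algorithm)


def acquisition_record(original: bytes, image: bytes,
                       algorithm: str = "sha256") -> dict:
    """What the examiner writes down: the algorithm, both digests, and the verdict."""
    ok, original_digest, image_digest = verify_image_bytes(original, image, algorithm)
    return {"algorithm": algorithm, "original": original_digest,
            "image": image_digest, "verified": ok}


if __name__ == "__main__":
    print(acquisition_record(SAMPLE_MEDIA, SAMPLE_MEDIA))    # verified: True
    print(acquisition_record(SAMPLE_MEDIA, TAMPERED_MEDIA))  # verified: False
```

Record the algorithm name along with the digests: a hash value is only meaningful to a later reader if they know which function produced it, and the same helper can be run with "md5" or "sha1" when a tool or a court order specifies an older algorithm.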

Most USB drives come with a physical switch of some type to prevent writes to the drive. If you do not find any physical switches on the device, the manufacturer may provide software that accomplishes the write protection. The only problem with that solution is that there is a chance of a write occurring on the examiner's computer before the software has a chance to lock down the USB drive. In addition to this, remember that USB drives also configure themselves automatically when plugged into a PC and thus may make some changes without the examiner's intending to. Bear in mind that this is a rare occurrence, but it can happen when you are dealing with a device that requires device drivers to work. Internally, a USB drive uses flash memory (memory registers) to store information. The information is literally stored as a series of on and off sequences in the memory registers of the USB drive. Most operating systems will view the USB drive as a regular FAT hard drive and query the USB controller chip just as if it were querying a hard drive controller. Because the operating system treats the USB drive as a regular drive, your forensic software will interact with the USB drive just like a regular hard drive.

For 15 years, Joe was a diligent bookkeeper. After he retired, the new bookkeeper noticed that the company had paid a small bank fee with every transaction during Joe's tenure. A review of the fees revealed that they were deposits made into Joe's account that totaled hundreds of thousands of dollars, but the bank records showed no such deposits. The police were called in to investigate further. Once Joe's prior actions became suspect, the owner remembered that Joe had kept an iPod on his desk and brought a laptop to the office so that he could take work home. After the investigating officer obtained a search warrant for Joe's residence, the police and a team of forensic investigators went there and seized several computer systems, a series of external hard drives, and an iPod. In the lab, forensic investigators found no evidence against Joe on any of his computers. Next, the iPod was analyzed.

The investigator knew that iPods have features that PC hard drives do not. For example, the iPod creates a separate partition that will contain firmware settings for the device (that is, the actual iPod operating system) and application information for iPod applications, including calendar, contacts, notes, and address book. The investigator treated the iPod like any other external hard drive by imaging the iPod's hard drive first and using the copy for analysis. After imaging the drive, the investigator noticed that Joe's 40GB iPod was configured with two data partitions: one 20GB partition to hold music and another 20GB partition to store data files. The investigator ran a directory listing, which showed all the files on the drive that held the data files. This directory listing revealed Excel and Word documents, which contained data critical to the investigation. The Excel spreadsheets contained detailed reports of each transaction Joe made, including time and date of deposit, as well as a record of each account number the bookkeeper used over the years. This evidence showed that Joe had been updating his records each time he embezzled money from the company and then saved the file to his iPod, which appeared to his employer to be nothing more than a portable jukebox. The evidence taken from the iPod helped convict the bookkeeper. iPods can also function like a PDA, with documents, spreadsheets, a calendar, and notes.

PDA Analysis

The area of PDA forensic analysis is a more specialized area than personal computer forensic analysis. The amount and types of forensic tools available for the examiner are few and not as sophisticated as their counterparts in the PC world. The majority of PDA forensic tools available are tailored for the two most popular PDA platforms, Palm OS and Pocket PC. You will learn later in this chapter about tools used to forensically examine a PDA and how each tool works.

The paramount consideration when dealing with a PDA device is to make sure power to the device is not interrupted. Unlike most PC examinations, PDA examinations deal with a device that has a very volatile memory configuration. If the battery dies or the power adapter is unplugged, you will lose all user data. The Association of Chief Police Officers (ACPO) offers these guidelines (which can be located at www.acpo.police.uk/policies.asp) for seizing PDAs:

• On seizure, the PDA should not be switched on, if already off, to avoid the consequences of activating security mechanisms such as user authentication and content encryption.
• The PDA should be placed in an envelope and the envelope should then be sealed before being put into an evidence bag, to restrict physical access while it is still sealed in the evidence bag.
• Where the PDA is fitted with only a single rechargeable battery, the appropriate power adapter should be connected to the device with the cable passing through the evidence bag so that it can be kept on charge.
• If the PDA is switched on when found, the device should be kept in an active running mode (e.g., by tapping on a blank section of the screen) and supplied with power until an expert can examine it.
• If sufficient power cannot be supplied, consideration should be given to switching off the PDA to preserve battery life, documenting the current device state, and noting the time and date of the shutdown.
• Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals.
• A search should be conducted for associated flash memory devices, such as Secure Digital (SD), MultiMedia Card (MMC), or CompactFlash (CF) semiconductor cards, microdrives, and USB tokens.
• Anyone handling PDAs before their examination should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings.

After the power issue, wireless connectivity is the second issue that must be considered when seizing a PDA. Newer PDA devices come equipped with wireless capabilities and may transmit/receive signals that will alter the evidence. To avoid this situation, you can either turn off the device or transport it in an isolation bag (a Faraday bag) used to keep out radio frequency (RF) signals.

Chain of Custody

According to NIST Special Publication 800-72, "Guidelines on PDA Forensics" (2004), documentation of the chain of custody throughout the lifecycle of a case involving a PDA should answer the following questions:

• Who collected the device, media, and associated peripherals?
• How and where? That is, how was the e-evidence collected and where was it located?
• Who took possession of it?
• How was it stored and protected while in storage?
• Who took it out of storage and why?

Just as for a storage medium, a PDA can be examined either physically or logically. The physical acquisition method is the acquisition of a bit-by-bit copy of the physical parts of a PDA such as the RAM, ROM, memory cards, or disk drive. This has the advantage of copying every physical bit, which in turn means you are copying potentially hidden or deleted information. A logical acquisition copies only what the operating system can see, such as files and directories, but leaves out areas considered to be empty or nonexistent. The best method to use for a PDA forensic examination is both. Using physical and logical acquisition techniques ensures that you capture all the data, have it in a logical format, and have the ability to compare images for obvious differences.

To get to the point of being able to connect the forensic examiner's software to the suspect's PDA requires a physical connection of some type. The best solution is to use the cradle the PDA comes with and use the USB port to transfer the data across. EnCase software will work best in this fashion. Other forensic tools can use the protocols built in to the PDA such as HotSync or ActiveSync and use cables specially designed for PC to PDA acquisitions, as is the case with Paraben®.

As mentioned before, a forensic examination normally must be done on a device that does not have any security or authentication mechanisms enabled. If you encounter a device that has a password or security device enabled, you have very few options for dealing with it. The following list should serve as a guideline when you encounter this situation:

• Ask the suspect what the password is.
• Contact the manufacturer for backdoors or other useful information.
• Search the Internet for known exploits, for either a password crack or an exploit that goes around the password.
• Call in PDA professionals who specialize in data recovery.

Cellular Phone Analysis

As mentioned earlier, today's cellular phones have much in common with the PDA devices in the market. Modern cellular phones have RAM, ROM, and something PDA devices do not have: a SIM card. When you have to do a forensic examination of a modern cellular phone, you have to break the investigation down into two very distinct components. The first component is the acquisition of the physical memory associated with the PIM aspects of the cellular phone. The second part of the investigation focuses on the SIM card and all the information found there.

As with all forensic examinations, you can do a physical or a logical acquisition of the device. Because we are dealing with cellular phones, you will have to do this with both the PIM and SIM devices. Much like the PDA device scenario, the physical aspects of connecting to the cellular phone vary depending on the type of cellular phone and the type of forensic software you are going to use. Most modern PIM/SIM cellular phones come with a cradle that is designed to synchronize with the user's computer. These cradles usually come with a USB connection but sometimes […]. In addition to this, the software used to extract the information from the cellular phone must have complete access to extract an image correctly.

A serious consideration you must anticipate is that the user may have some form of authentication enabled on the cellular phone. To further complicate matters, there may be multiple forms of authentication because you are dealing with a PIM and a SIM. We have covered the basics of personal information manager (PIM) authentication in the PDA section, so we will now look at SIM methods of authentication.

The primary function of a SIM card is to identify the subscriber and authenticate the subscriber to the cellular phone network. Physically, a SIM card has between 16 and 64KB of memory, a processor, and an operating system. A SIM card usually contains the phonebook, call information, text messages, and network configuration information for the user and not necessarily the phone. SIM cards can be removed from the cellular phone and placed into a special SIM card reader, and the information extracted rather quickly, unless a personal identification number (PIN) has been assigned as a security precaution. A consideration you must also be aware of when dealing with cellular phone SIM cards is the phase of the standard they can support. Currently, the phase generations in the field are phase 1, phase 2, phase 2.5, and phase 3, which basically means the SIM card with the latest generation phase has more capabilities than earlier generations. The tools used to display or extract this information must be up to date to work with the newest generation of SIM cards, and even then you may have to use more than one tool to extract every piece of information.

A SIM is usually protected by a PIN or card holder verification (CHV) number and can have more than one number set. If you are lucky, the PIN will not have been set by the user, and you have unfettered access to the SIM. If the user has enabled one or both PIN authentication features, you must be able to get past the authentication before you can begin your examination. In other words, you have to disable or work around the PIN authentication. You have two main options for disabling the PIN: ask the user, or ask the service provider for a PIN unblocking key (PUK). The PUK will reset the PIN and allow you past the authentication. A very important thing to remember is that most SIM cards allow only three attempts to get past the PIN before you are locked out. After a predetermined number of tries, if the PUK fails, you will be permanently blocked from access to the SIM. On the off chance that you use the PUK and still cannot get in, do not attempt to brute force the PUK.
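The PIN and PUK counters described above, as an added example (not code from the chapter or from any SIM tool): a small model of the card's lockout state as the examiner sees it from the outside, plus the chapter's decision rule expressed as a function. The three-attempt PIN limit is the figure the chapter gives; the ten-attempt PUK limit, and the rule that a successful PUK installs a new PIN supplied with it, are assumptions made for the model. Running it shows why the chapter says not to guess: a wrong PUK burns an attempt that can never be recovered, and a correct PIN no longer helps once the card is blocked.

```python
import hmac


class SimAuthState:
    """Toy model of a SIM's PIN/PUK attempt counters (hypothetical; not a real card protocol)."""

    PIN_ATTEMPTS = 3    # from the chapter: most SIM cards allow only three PIN attempts
    PUK_ATTEMPTS = 10   # assumed value for the chapter's "predetermined number of tries"

    def __init__(self, pin: str, puk: str, pin_enabled: bool = True) -> None:
        self._pin = pin
        self._puk = puk
        self.pin_enabled = pin_enabled
        self.pin_tries_left = self.PIN_ATTEMPTS
        self.puk_tries_left = self.PUK_ATTEMPTS
        self.pin_blocked = False
        self.permanently_blocked = False

    def verify_pin(self, candidate: str) -> bool:
        """Present a PIN. Each failure burns one try; the third failure blocks the PIN."""
        if self.permanently_blocked or self.pin_blocked:
            return False                      # the card no longer accepts PINs at all
        if not self.pin_enabled:
            return True                       # the lucky case: the user never set a PIN
        if hmac.compare_digest(candidate, self._pin):
            self.pin_tries_left = self.PIN_ATTEMPTS
            return True
        self.pin_tries_left -= 1
        if self.pin_tries_left == 0:
            self.pin_blocked = True
        return False

    def unblock_with_puk(self, candidate_puk: str, new_pin: str) -> bool:
        """Present the provider-supplied PUK. Exhausting PUK tries blocks the SIM for good."""
        if self.permanently_blocked:
            return False
        if hmac.compare_digest(candidate_puk, self._puk):
            self._pin = new_pin               # assumption: a successful PUK installs a new PIN
            self.pin_blocked = False
            self.pin_tries_left = self.PIN_ATTEMPTS
            self.puk_tries_left = self.PUK_ATTEMPTS
            return True
        self.puk_tries_left -= 1
        if self.puk_tries_left == 0:
            self.permanently_blocked = True
        return False


def next_step(sim: SimAuthState) -> str:
    """The chapter's guidance as a rule the examiner consults before touching the card."""
    if sim.permanently_blocked:
        return "stop: SIM permanently blocked, no further attempts possible"
    if sim.pin_blocked:
        return "PIN blocked: obtain the PUK from the user or the service provider; do not guess"
    if not sim.pin_enabled:
        return "no PIN set: proceed with acquisition"
    return f"PIN required: ask the user ({sim.pin_tries_left} tries remain before lockout)"


if __name__ == "__main__":
    sim = SimAuthState(pin="4321", puk="12345678")   # constructed sample values
    print(next_step(sim))
    for guess in ("0000", "1111", "2222"):
        sim.verify_pin(guess)
    print(next_step(sim))                            # PIN blocked: obtain the PUK ...
```

The counters only ever go down on failure; nothing the examiner does at the card can restore a spent PUK attempt, which is why the model records the provider-supplied PUK as the only way out of a blocked PIN.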

• Connection type (USB, Bluetooth, or IR)?
• Type of data you want to acquire?

Once you have the forensic software connected to the device, you follow the regular procedures to obtain a bit-stream copy of the device and generate hash values to prove the integrity of the data. At this point, depending on the forensic software capabilities, you can do searches for evidence and generate reports detailing your findings.

A child molester was caught with cell phone forensics. The suspect entered a home that had two young girls inside. The suspect ran away after the girls started screaming, and he dropped his cell phone in the process. The SIM card was examined and text messages were extracted. In some of the messages, the suspect was referred to by name, which helped detectives locate his residence.

Disk Image Forensic Tools

The tools used to create a forensic image of hard drives and other storage devices have been around for some time. New tools come on the market very frequently purporting to do forensic images and reports, but only a few products on the market today can extract a forensic image and generate a detailed report and have been accepted in a court of law. The software discussed below is by no means the extent of the tools available in the market today but is a small list of the software that has been vetted by many in the field.

Guidance Software

Guidance Software™ forensic tools are considered by many to be the gold standard in computer forensics investigations. The software has been accepted by courts around the world and is used by most major law enforcement organizations around the world as well. The biggest plus for Guidance software is the fact that the GUI interface makes this software very intuitive. The other plus is the fact that the search features and functionality of the software make the job of a forensic investigator much easier, in the sense that many of the common searches are now automated.

Paraben Software

Paraben® takes a divide-and-conquer approach to computer forensics in that they have developed specialized tools for different types of searches. Paraben has tools ranging from e-mail forensic work to password recovery. In addition to the software tools, Paraben also has hardware forensic tools such as Faraday bags and SIM USB readers. The software tools offered by Paraben are GUI based and fairly easy to work with once you get the hang of them. Paraben offers the same functionality as the EnCase software with a slightly less intuitive feel.

FTK

FTK by AccessData is a highly regarded GUI forensic tool. As with Paraben, however, the initial feel of FTK is not intuitive; once you learn the software completely, it is one of the most useful forensic tools available commercially. The search functionality is impressive, and FTK's ability to generate detailed reports is also quite good.

Logicube

Logicube uses a hardware-based philosophy to acquire data images and has partnered with AccessData to round out their computer forensics offerings. Logicube has developed some of the most reliable and quickest hardware-based tools to extract images from hardware devices. With the introduction of AccessData software, Logicube has essentially taken the best of both hardware and software forensic tools and combined them into very impressive computer forensic kits.

An iPod can be configured to be a forensic tool by performing the following steps. The iPod itself is used as the investigative tool. Retrieved data is stored on a separate external hard drive.

1. Load the latest version of the Macintosh operating system, OS X. Get the latest version by running a software update utility that automatically checks the version installed and displays all available upgrades.
2. Configure the iPod as an external hard disk by using a built-in configuration tool. Choose a check box to select "Use as Hard Disk."
3. Configure the iPod as a forensically sound system so that when it is connected to a suspect computer it does not write to the drive and contaminate any potential evidence. Turn off "disk arbitration." This feature of OS X provides plug-and-play functionality so that when another device is plugged in, it can automatically be seen and recognized. Because this process can alter potential evidence, this function needs to be disabled through a set of commands.
4. Equip the iPod with software tools used to examine and analyze systems for potential evidence. Even some deleted data can be found using these software programs.
5. The investigator uses the forensic software to quickly preview or image Mac systems using only the iPod and a small external hard drive on which to store the image.

PDA/Cellular Phone Forensic Software

The newest field in the computer forensic world is the PDA/cellular phone field. The tools used for this type of forensic work are only just beginning to mature, simply because PDA/cellular phone devices have only recently become essentially low-powered computers. Because the line between PDA and cellular phone is not always clear, some of the tools in the next section will work with one device but not another, so you may have to use more than one software tool to get all the information you require from one device.

Tools for Examining PDAs

There are a limited number of tools used for PDA investigations, and those tools tend to be specialized. Some of the GUI tools are fairly easy to use, while some of the command-line tools require some expertise in command-line gymnastics. Some forensic examiners prefer to use their own tools or tools that have not been vetted in a court of law. These home-grown tools may be the only way to transfer or examine data from a PDA, but they should be tested extensively and by third parties to make sure the data does not change. The following sections cover some of the most commonly used PDA examination tools.

EnCase and Palm OS Software

In addition to standard personal computer acquisitions, EnCase software has the ability to examine Palm OS devices. EnCase software can do a bit-stream copy of the entire physical area of a Palm OS device and perform constant cyclic redundancy check (CRC) calculations to ensure data integrity. The CRC checks are mathematical algorithms that check to make sure the data transmitted from the original computer is the exact same data that was received on the target computer. The EnCase application creates what it calls an evidence file (a file with an extension .e01) and mounts it virtually on the examiner's PC. Because EnCase software uses a software write-blocking technique and can hash the data, issues of data corruption or modification are eliminated. In other words, the software ensures there are no writes to the PDA and also ensures the data integrity of the image being transferred. Bear in mind that a PDA stores the majority of the user data in RAM and that the date and time functions change on a continual basis, thus affecting any hash value done. For example, hashing an image will yield different results from one second to the next simply because the time stamp has changed. EnCase software has the added ability to generate extensive reports, has great search functions, and can save (bookmark) important data for the examiner. Another advantage to using this program is its excellent reputation and frequent use in numerous court cases. At present, EnCase software does not support Pocket PC, Linux, or BlackBerry devices.

PDA Seizure

Unlike the EnCase software, Paraben's PDA Seizure can do forensic examinations on Palm OS, Pocket PC, and BlackBerry devices. PDA Seizure is extremely easy to use and very graphical in nature. Once you have the hardware hooked up using USB or PDA-specific cables (Paraben sells cables just for PDA forensic acquisitions), PDA Seizure guides you through the acquisition process. Because PDA Seizure can analyze various PDA devices, you as the forensic examiner will have to have a good supply of device drivers for the various models of PDA devices. For example, you will have to install the BlackBerry device drivers for the forensic software to open the USB port to do an acquisition; otherwise, it will be looking for a serial port. Once the image has been transferred, PDA Seizure has a complete set of tools to work on the image that include:

• Multilanguage support
• Search functions
• Bookmark functions
• HTML reporting
• Ability to view images internally
• Report generation

PDA Seizure also has the incredibly nice feature of being able to crack Palm passwords and eliminate that barrier to doing a forensic examination on a Palm OS.

Palm dd (pdd)

Palm dd (pdd) is a command-line tool used within a Windows environment to acquire the physical image of a Palm OS device. The original use of the dd command comes from the UNIX operating system. The dd utility is primarily used to do low-level, bit-level copying of storage media and has been adapted for use with PDA devices. Because you are working with only Palm OS devices, the hardware required for this type of acquisition is the Palm device cradle and a USB cable. Once you have the physical hardware installed, you run the command pdd and acquire the physical bit image. pdd generates two files for the forensic examiner to work with. The first file contains data on the size of RAM/ROM, processor type, and OS version. The second file contains the bit image and is in binary form. Once you have the binary file loaded on the examiner's computer, you can use a hex editor to parse the file or import the file into another tool such as EnCase software to complete the examination. A shortcoming of pdd is that it does not have the capability to generate a hash of the Palm OS device or the image file. pdd does not have any graphical user capabilities at this time and in fact is no longer supported, so the possibility of pdd's becoming a GUI tool is fairly remote.

POSE (Palm OS Emulator)

POSE is a software program that emulates the Palm OS device on a personal computer when the ROM from a physical Palm device is loaded into memory. The POSE software comes with a tool to extract the image from the Palm device; you can also use Palm dd (referenced above) or even regular dd to extract an image. Once the ROM image is in place, POSE completely emulates a real Palm device down to the buttons and I/O functions. Once you have the emulator working, you can explore all the PIM functions in the PDA such as the address book and task list. Keep in mind that this software is primarily used to test ROM images without having to use a real Palm device and only works with Palm OS version 4.x and below. In fact, however, the more useful aspect of using this software is the fact that you can generate screen shots of the Palm device desktop for either report appendices or court of law proceedings.
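The EnCase passage above notes that hashing a PDA image yields a different value from one second to the next because the device's clock fields change in RAM. The following added example (not code from the chapter, EnCase, pdd or POSE) shows that effect on a toy image and one way examiners handle it: hash the image with the documented volatile region zeroed, so that two acquisitions of unchanged user data compare equal while any change to user data is still detected. The image layout (an 8-byte clock followed by user data) and the sample contents are constructed for the demonstration; a real Palm OS memory map is not this simple, and the offsets of whatever region you exclude must come from the device documentation and be recorded in the case notes.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# Toy layout of a PDA RAM image (hypothetical; not a real Palm OS memory map):
#   bytes 0-7   : little-endian uint64 device clock, rewritten by the PDA every second
#   bytes 8-end : user data (address book, memos) that should not change between two
#                 acquisitions taken minutes apart
VOLATILE_REGIONS: List[Tuple[int, int]] = [(0, 8)]   # (offset, length) pairs excluded from the stable hash


def build_image(user_data: bytes, clock_seconds: int) -> bytes:
    """Construct a sample image; stands in for what an acquisition tool would return."""
    return struct.pack("<Q", clock_seconds) + user_data


def full_hash(image: bytes) -> str:
    """Hash of every byte: what a naive re-hash of the live device produces each second."""
    return hashlib.sha256(image).hexdigest()


def stable_hash(image: bytes) -> str:
    """Hash with the documented volatile regions zeroed, so unchanged user data hashes the same."""
    masked = bytearray(image)
    for offset, length in VOLATILE_REGIONS:
        masked[offset:offset + length] = b"\x00" * length
    return hashlib.sha256(bytes(masked)).hexdigest()


def compare_acquisitions(first: bytes, second: bytes) -> Dict[str, bool]:
    """Report both verdicts so the notes show why the raw hashes differ."""
    return {"full_match": full_hash(first) == full_hash(second),
            "stable_match": stable_hash(first) == stable_hash(second)}


# Constructed sample contents (not real evidence).
USER_DATA = b"AddressBook: J. Example, 555-0100\nMemo: meeting 10:00\n"
ACQ_1 = build_image(USER_DATA, clock_seconds=1_100_000_000)
ACQ_2 = build_image(USER_DATA, clock_seconds=1_100_000_001)          # one second later
ACQ_3 = build_image(USER_DATA.replace(b"10:00", b"11:00"), 1_100_000_002)  # user data altered

if __name__ == "__main__":
    print(compare_acquisitions(ACQ_1, ACQ_2))   # {'full_match': False, 'stable_match': True}
    print(compare_acquisitions(ACQ_1, ACQ_3))   # {'full_match': False, 'stable_match': False}
```

The masked hash does not replace the full hash of the image file once it is written to disk; that file no longer changes, and its full digest is what proves the stored image has not been altered since acquisition. The masked hash only answers the narrower question of whether the user data on the device changed between two acquisitions.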

PDA Memory

Unlike personal computers, PDA memory storage devices normally do not include USB-type devices. Aside from the inconvenience of having a relatively large piece of plastic and integrated circuit sticking out of the side of the device, the power requirements of USB drives tend to make them impractical for PDA devices. What a PDA usually comes with are memory cards. These cards vary in size from a single postage stamp to a book of stamps and usually have an external card reader for use on a regular personal computer. Most cards on the market use a form of flash memory similar to USB drive technology but on a much smaller scale, with storage capacities ranging from 8MB to over 2GB. These memory cards do not lose data when the power is disconnected and can be a great source of information for a forensic investigator. The following is a list of common flash memory cards:

• Compact Flash Cards (CF)
• Extended Memory Cards (EM)
• Memory Sticks (MS)
• MicroDrives (MD)
• MultiMedia Cards (MMC)
• Secure Digital Cards (SD)

To do an examination of these memory cards, you need an external card reader of some type. Most high-end laptops and desktop computers now come equipped with these card readers, so if you shop carefully, the hardware you need may already be built into your forensic workstation. To most forensic software applications, the memory card will look like an ordinary hard drive; in fact, the most prevalent file system used on these memory cards is the FAT system.

Tools for Examining Cellular Phones

The tools used to acquire information from cellular phones vary widely, simply because at this time there are effectively two devices contained in a cellular phone: PIM and SIM. As of this date, only a few software companies have come out with a forensic software package that can work with both aspects of the cellular phone forensic analysis. Table 5.1 breaks down the tools by PIM/SIM.

Tools for Examining Both PDAs and Cellular Phones

Paraben's Device Seizure and Logicube's CellDek have the most comprehensive sets of tools for both PDA and cellular phone analysis. Because this part of the forensic field is still evolving rapidly, you can get tools specifically for certain devices and essentially cherry pick which tools you will use for certain devices. As this part of the forensic field matures, companies such as Paraben and Logicube are beginning to offer comprehensive tools and, more important, updates for new devices as they come out that will work with their tools.

TABLE 5.1 Forensics tools that can be used on cellular phones.
[Table not recoverable from the scan. Its columns were: tool, supported phones (GSM, TDMA, CDMA; Palm OS, Pocket PC, and BlackBerry phones), connection type (cable, Bluetooth, and IR), internal SIM acquisition, and external SIM acquisition (external card reader). The tools listed were .XRY, MOBILedit! Forensic, Oxygen PM Forensic, and TULP 2G.]

Paraben Software

Paraben's Device Seizure is one of the few tools that combines both cellular phone and PDA forensic acquisition capabilities. The software is GUI based and resembles the rest of Paraben's stable of forensic tools. The extraction of the forensic image is done much the same as with any other forensic examination, with the exception that you are usually dealing with volatile data and must keep power flowing to the device or risk losing the data. The investigator will normally have to use all the cradles and cables the PDA or cellular phone has and fit them to whatever forensic platform he is using. Several drivers are included in the Paraben installation, but the operating system of the computer forensics platform will also need specific drivers such as ActiveSync or HotSync to function. Once you are into the analysis part of your investigation, Device Seizure has the ability to do text and hex searches of the forensic image. Figure 5.4 shows a typical search using Device Seizure.

FIGURE 5.4 Carrying out a search using Device Seizure. Source: Paraben's Device Seizure Software, Paraben Corporation, www.parabenforensics.com.

As with most other computer forensic tools, Device Seizure has report-generating capabilities to help the forensic investigator organize the evidence found into a logical and cohesive format.

Logicube

Logicube has applied their hardware-based philosophy to the mobile computer forensic field. Logicube has introduced a hardware device it calls the CellDek (Figure 5.5). This device is actually a small forensic computer (the size of a small piece of luggage) with forensic software specifically designed for PDA and cellular phone image extractions. What sets this tool apart from others is that it comes with most adapters used by PDA and cellular phone manufacturers. The tool also has the capability to extract images via Bluetooth, IR, and WiFi in addition to regular cable extractions. The support for the CellDek is such that as new drivers are released, Logicube updates the CellDek to keep up with those drivers. The software used by Logicube has the standard searches and report capabilities other forensic tools have and is completely GUI based for ease of use. The touch screen shown in Figure 5.6 eliminates the need for a mouse.

FIGURE 5.5 CellDek forensic computer.

FIGURE 5.6 CellDek GUI touch screen.

Summary

In this chapter you covered the basic media types and devices that you will encounter when doing a forensic examination. You are most likely to encounter magnetic media devices such as hard drives and optical media devices such as CDs, but electronic devices such as USB drives are becoming more prevalent. Your job as a forensic investigator may also require you to know about data from PDAs and cellular phones. After learning how data is stored in these various types of devices, you learned specific methods for acquiring data from each category. Some guidelines for data acquisition are the same for any device, such as the importance of making at least two copies of the data so that you can work on one copy while safeguarding the original copy and the suspect's device. Other guidelines are specific to a device, such as the importance of maintaining power to a PDA to avoid data loss. A number of suppliers such as Guidance, AccessData, Paraben, and Logicube have developed tools for capturing and analyzing data. Some of these tools are designed to work with a specific type of data, such as that acquired from PDAs, while others can be used for several different types of data.

MULTIPLE CHOICE QUESTIONS

1. The two most popular hard drive technologies in use today are
A. IDE and EIDE.
B. IDE and SCSI.
C. SCSI and EIDE.
D. SCSI and PIO.

2. The main parts to the geometry of a hard drive are
A. heads, cylinders, and platters.
B. heads, cylinders, and sectors.
C. platters, sectors, and cylinders.
D. heads, platters, and sectors.

3. When two hard drives are on the same data cable, both drives must have which two settings for them to work?
A. Primary and secondary.
B. Master and slave.
C. First and second.
D. One and two.

4. Most hard drive technologies use magnetic technology to designate 0s and 1s, whereas CDs and DVDs use _____ technology.
A. optical
B. magnetic
C. chemical
D. linear

5. Which of the following is not a tape drive technology?
A. DAT
B. QIC
C. DLT
D. SLT

6. The original CD format was
A. single session.
B. multisession.
C. writable.
D. rewritable.

7. USB drives use
A. flash memory.
B. RAM memory.
C. cache memory.
D. none of the above.

8. Two items to document in the BIOS are
A. time and date.
B. number of hard drives and boot order.
C. time/date and boot order.
D. RAM and boot order.

9. Most USB drives use the _____ file system.
A. FAT
B. NTFS
C. ATA
D. HFS

10. On seizure, a PDA that is switched off should be
A. turned on.
B. left off.
C. opened.
D. disconnected.

11. Which of the following is not a messaging service available on cellular phones?
A. SMS
B. MMS
C. EMS
D. XMS

12. All PDA devices come with
A. PIM.
B. SIM.
C. TIM.
D. DIM.

13. To identify and authenticate the phone subscriber, cellular phones use
A. SIM.
B. PIM.
C. TIM.
D. CIM.

14. Which of the following is a phase generation standard for cellular phones?
A. Phase 3.
B. 802.11.
C. Bluetooth.
D. WiFi.

15. PDAs have all of the following except
A. ROM.
B. RAM.
C. microprocessors.
D. SIM.

EXERCISES

Exercise 5.1: Third-Generation Cellular Phone Networks

The new generation of cellular phone networks has the capability to transfer various types of data across their networks.

1. Search the Internet for details on third-generation cellular phone systems.
2. Look for future trends or directions this technology may take.
3. Write a summary of what you have learned.

Exercise 5.2: Compact Disk Standards

1. Research the various standards used by compact disk manufacturers.
2. Compare compact disk standards with the newer DVD standards.
3. Using your computer lab PC, find out what type of session your CD drive supports and which CD standards are applicable to your PC.
4. Create a table to summarize your information.